New Phishing Campaign Exploits Fake PayPal Alerts to Hijack RMM Tools A recent surge in phishing attacks is leveraging fake PayPal alerts to compromise both personal and corporate systems through legitimate remote monitoring and management (RMM) tools. CyberProof’s advisory, published on Tuesday, details a shift from seasonal lures such as holiday invites or tax notices to high-urgency financial scams designed to prompt immediate action. Researchers analyzed six incidents across customer environments, including one case where an employee’s personal PayPal account became the initial entry point. On January 5, 2026, CyberProof’s Managed Detection and Response (MDR) team detected suspicious activity that later escalated into corporate access. The attack began with a fraudulent PayPal email, followed by phone-based social engineering. Posing as support staff, the attacker convinced the victim to install LogMeIn Rescue, later switching to AnyDesk to maintain persistence all without triggering endpoint detection and response (EDR) alerts. The attackers employed a tactic of using one RMM tool to install another, a method also observed in recent Broadcom research. This redundancy may help evade detection and exploit trial licenses before they expire. Artifacts from the attacks included multiple LogMeIn Rescue binaries and evidence of active remote sessions. Persistence was achieved through a scheduled task and a disguised startup shortcut, mimicking legitimate system activity. While the immediate goal appears financial, CyberProof warned that such access could be sold to advanced persistent threat (APT) groups, leading to full corporate compromise or ransomware deployment. The firm highlighted the risks of RMM tool abuse and the need for stronger phishing controls, restricted network access to common RMM ports, and the avoidance of exposed remote services like RDP.